We study the security of quantum string commitment (QSC) protocols with a group covariant encoding scheme. First we consider a class of QSC protocols which is general enough to incorporate all the QSC protocols given in the preceding literature. Then, among those protocols, we consider group covariant protocols and show that the exact upper bound on the binding condition can be calculated. Next, using this result, we prove that for every irreducible representation of a finite group there always exists a corresponding nontrivial QSC protocol which reaches a level of security impossible to achieve classically.
I. INTRODUCTION

Commitment is an important building block of classical cryptographic protocols. Informally, a commitment protocol provides the function of a safe or envelope that can be exchanged over a communication channel: first the sender Alice sends evidence of data $x$ of her choice to the receiver Bob without revealing $x$ itself. After some time Alice reveals $x$, and Bob can then verify, by inspecting the evidence received before, that it is indeed the original value of $x$ that she chose.

With the help of computational intractability assumptions, such a task can easily be realized in such a way that the secrecy of $x$ against Bob and the unchangeability (the binding condition) of $x$ by Alice are both perfectly fulfilled [1]. However, when it comes to the construction of unconditionally secure protocols, things change drastically. It was proved by Lo and Chau [2], and independently by Mayers [3], that such a protocol with perfect secrecy and binding, the so-called bit commitment (BC), is in fact impossible even by quantum protocols.

Among many attempts to circumvent this no-go theorem, we focus here on quantum string commitment, or QSC for short [4, 5, 6]. In QSC protocols, the sender is supposed to commit $n > 1$ bits of data in a single session of the protocol, and we are no longer interested in fulfilling both the secrecy and the binding conditions perfectly. Instead we study a trade-off between the two conditions. In general, partial information about $x$, say $b$ bits, may be accessible to Bob prior to the reveal phase, and conversely Alice may be able to change $a$ bits after the commit phase. Still, as long as $a + b < n$, such a scheme provides a nontrivial quantum cryptographic protocol in that it reaches a classically impossible level of security. Indeed a number of protocols have been obtained that are nontrivial in this sense [4, 5, 6].

In this paper, we consider QSC protocols which have group covariant commitment states $\rho_x$ and study their security in terms of the security criteria given by Buhrman et al. [6]. First we consider a class of QSC protocols which is general enough to incorporate all the QSC protocols defined explicitly in the preceding literature. Then we show that if the encoding scheme of such a protocol is covariant under an irreducible representation of a group $G$, one can calculate the exact upper bound on its binding condition. Next, combining this result with the well-known theorems for the quantum optimum detection problem with covariant input states, we prove that for every irreducible representation of a finite group $G$ there always exists a nontrivial QSC protocol. In other words, we demonstrate how to construct infinitely many types of nontrivial QSC protocols with $a + b < n$.

II. QUANTUM STRING COMMITMENT

A. Description of Protocol

A quantum string commitment (QSC) protocol is a quantum communication protocol between two parties, the sender Alice and the receiver Bob, which consists of two stages, the commit phase and the reveal phase.

• (Commit Phase) If both parties are honest, Alice chooses a string $x \in \{0,1\}^n$. From Bob's point of view, string $x$ has probability $p_x$. Alice and Bob communicate. Let $\rho_x$ denote Bob's state at the end of the protocol if Alice committed string $x$.

• (Reveal Phase) If both parties are honest, Alice sends $x$ and other reveal information to Bob. Bob accepts.

In addition, for the sake of simplicity, we assume that honest Alice chooses $x \in \{0,1\}^n$ with the uniform distribution $p_x = 2^{-n}$.

B. Security Requirements

As was the case for bit commitment, there are two conditions of security for quantum string commitment, that is, the secrecy condition and the binding condition. While there are various ways of defining them [4, 5, 6], especially for binding, in this paper we use the simplest of them, given in Ref. [6], based on the accessible information $I_{\rm acc}$.

The concealing condition, or secrecy, deals with the cases where Alice is honest. Malicious Bob in general does anything possible to obtain information regarding $x$ prior to the reveal phase, and in order to discuss the security there we want to bound the amount of his information from above. The relevant quantity for this purpose is the accessible information $I_{\rm acc}$ of the ensemble of commitment states $\mathcal{E} = \{p_x, \rho_x\}$.

Definition 1 (Concealing Condition) A QSC protocol is $b$-concealing if $I_{\rm acc}(\mathcal{E}) \le b$. Here $I_{\rm acc}(\mathcal{E})$ is Bob's accessible information measured at the end of the commit phase.

As pointed out by Buhrman et al. [6], the stronger notion of the Holevo information $\chi$ is not appropriate for this purpose, since in many cases $\chi$ overestimates $I_{\rm acc}$ and can set $b$ larger than the reality.

On the other hand, the binding condition applies when Bob is honest. It is possible that malicious Alice postpones her decision on the value of $x$ until after the commit phase, and tries to reveal one of several different values of $x$ at the reveal phase. In order to limit Alice's attacks of this type, we employ the following security criterion.

Definition 2 (Binding Condition) A QSC protocol is $a$-binding if $\sum_{x \in \{0,1\}^n} p_x \le 2^a$, where $p_x$ is the probability that Alice is able to successfully reveal $x \in \{0,1\}^n$ at the reveal phase (not to be confused with the prior probability $p_x$ of honest Alice above).

For a purely classical protocol without any special assumption, such as computational intractability or relativistic constraints, $a + b \ge n$ always holds. This can be shown in a similar way to the proof of the impossibility of information-theoretically secure bit commitment [11]. Hence, as long as $a + b < n$ is satisfied, we consider a quantum protocol to be nontrivial.



III. GROUP COVARIANT PROTOCOL

A. Basic Scheme

1. Description

From now on, we restrict ourselves to the following type of QSC protocol. This scheme allows us to convert an arbitrary ensemble of states $\mathcal{E} = \{p_x, \rho_x\}$ into a corresponding QSC protocol in a straightforward way. Moreover, as will be shown below, it is general enough to incorporate all previous QSC protocols appearing in the preceding literature without sacrificing security.

• (Commit Phase) Honest Alice generates a state vector $|\psi_x\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$, which depends on the value of $x$ she chooses, and sends its second half (in $\mathcal{H}_B$) to Bob.

• (Reveal Phase) Alice sends to Bob the remaining half of her state. Honest Bob measures it projectively with respect to $|\psi_x\rangle$, and outputs ACCEPT if and only if the outcome is correct.

Bob's view at the end of the commit phase is of course $\rho_x = \mathrm{Tr}_A |\psi_x\rangle\langle\psi_x|$. Thus, according to Definition 1, the secrecy is measured by the accessible information $I_{\rm acc}(\mathcal{E})$ of the ensemble $\mathcal{E} := \{p_x, \rho_x\}$.

2. Binding Condition

For the above scheme, Alice's cheating strategy can always be formulated as follows. As in the proof of the no-go theorem of quantum BC [2, 3], it is convenient to adopt the decoherence point of view by introducing a suitable environment Hilbert space. Then, without loss of generality, we may assume that the state shared between the two parties at the end of the commit phase is a pure state $|\Psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$. Here the dimension of $\mathcal{H}_A$ is assumed to be arbitrary, say $d_A$. Subsequently, in the reveal phase, Alice performs a generalized quantum operation on $\mathcal{H}_A$,
\[ O_x := \{E_{xi} \mid i = 1, \dots, m\}, \qquad \sum_{i=1}^{m} E_{xi}^\dagger E_{xi} = I_A, \tag{1} \]
which depends on the value of $x$ that she wishes to reveal, and sends the resulting quantum state to Bob. Quantum operation $O_x$ yields the classical outcome $i$ with probability
\[ q_{xi} := \mathrm{Tr}\big[E_{xi}|\Psi\rangle\langle\Psi|E_{xi}^\dagger\big], \]
as a result of which Bob obtains $E_{xi}|\Psi\rangle\langle\Psi|E_{xi}^\dagger / q_{xi}$. Bob then measures it projectively with respect to $|\psi_x\rangle$, and accepts $x$ with probability $p_x = \sum_i |\langle\psi_x|E_{xi}|\Psi\rangle|^2$. Since $|\Psi\rangle$ is fixed once at the commit phase while $O_x$ may be chosen afterwards, the binding condition is measured by
\[ \max_{|\Psi\rangle} \sum_x \max_{O_x} \sum_i \big|\langle\psi_x|E_{xi}|\Psi\rangle\big|^2. \tag{2} \]

3. Relation to the Existing Protocols

Here we show that all previous QSC protocols appearing in the preceding literature [4, 5, 6] can be converted to our basic scheme without sacrificing security.

This is trivial for those protocols defined in Refs. [4, 5], where honest Alice sends to Bob a pure state which is not entangled with any state of hers. In this case $\mathcal{H}_A$ is considered as a one-dimensional vector space.

The conversion is also possible for LOCKCOM-type QSC protocols [6], where the sender is supposed to choose a random number $i \in \{1, \dots, R\}$ besides $x$, and send $U_i|x\rangle$ in the commit phase, with $U_i$ being a unitary operator. For such protocols, one simply needs to choose $|\psi_x\rangle$ for the converted protocol as
\[ |\psi_x\rangle := \frac{1}{\sqrt{R}} \sum_{i=1}^{R} |i\rangle_A \otimes U_i|x\rangle_B. \]
This is a purification of $\rho_x$ of the original protocol, i.e., $\rho_x = \frac{1}{R}\sum_{i=1}^{R} U_i|x\rangle_B\langle x|U_i^\dagger = \mathrm{Tr}_A|\psi_x\rangle\langle\psi_x|$. Clearly, secrecy is not changed by such a conversion. Binding can also be guaranteed by the following argument. In the reveal phase of the original protocol, Bob uses the projector
\[ P = \sum_i |i\rangle_A\langle i| \otimes U_i|x\rangle_B\langle x|U_i^\dagger \]
to test the state obtained, while for the converted version $P' = |\psi_x\rangle\langle\psi_x|$ is used. $P$ and $P'$ are projection operators commuting with each other, and $P'$ is of smaller rank; indeed $P|\psi_x\rangle = |\psi_x\rangle$, so $P' \le P$. Thus any strategy by Alice for the converted protocol will always give an equal or higher success probability when applied to the original protocol.

B. Group Covariant Protocols

If we restrict ourselves to group covariant protocols, to be defined shortly, we can in fact calculate the maximum value of $\sum_x p_x$ exactly. This is because, as we will show below, any cheating strategy by malicious Alice is equivalent to choosing $|\Psi\rangle$ of Eqn. (2) such that $\rho = \mathrm{Tr}_A|\Psi\rangle\langle\Psi|$ is a group invariant state. In particular, when a protocol is invariant under an irreducible representation of a group $G$, this means that $\rho$ must be proportional to the unit matrix $I_d$, and this fact greatly simplifies the calculations.

1. Irreducible Representation

As a preliminary to this result, we introduce some terminology of group theory. A representation $D$ of a group $G$ is a set of matrices $\{D(g) \mid g \in G\}$ satisfying $D(g_1)D(g_2) = D(g_1 g_2)$ for all $g_1, g_2 \in G$. In what follows we suppose that the $D(g)$'s are $d \times d$ unitary matrices operating on the $d$-dimensional vector space $\mathcal{H}_B$. Representation $D$ is irreducible when no nontrivial vector subspace of $\mathcal{H}_B$ is invariant under $G$. It is a direct consequence of Schur's lemma that for irreducible $D$, a $d \times d$ matrix $M$ commutes with $D(g)$ for all $g \in G$ iff $M$ is proportional to the unit matrix $I_d$.

Bob's view $\{\rho_x \mid x \in \{0,1\}^n\}$, which we introduced above, is called covariant if it is invariant as a set under the operations of $G$. In other words,
\[ \forall x,\ \forall g \in G,\ \exists y:\quad \rho_y = D(g)\,\rho_x\,D^\dagger(g). \tag{3} \]
The action of $G$ on a covariant set $\{\rho_x\}$ is called transitive if for all $x$ and $y$ there exists $g \in G$ such that $\rho_y = D(g)\rho_x D^\dagger(g)$.

In the rest of this paper, we will refer to a QSC protocol as a group covariant protocol if it possesses $\rho_x$'s transforming covariantly and transitively under an irreducible representation of a finite group $G$.

2. Symmetrized Strategy

Using the above notation, we shall show that any strategy used by a malicious Alice can always be converted into an equally effective form in which she commits a symmetric state.

As explained in the paragraph around Eqn. (1), Alice's cheating strategy can always be characterized by the state $|\Psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ that she generates during the commit phase and the set of quantum operations given in Eqn. (1). The first key observation is that instead of using $|\Psi\rangle$, she may as well introduce an ancillary Hilbert space $\mathcal{H}_{A'}$ and generate
\[ |\Phi\rangle := \frac{1}{\sqrt{N}} \sum_{g \in G} |g\rangle_{A'} \otimes \big(I_A \otimes D_B(g)\big)|\Psi\rangle, \qquad N := |G|, \]
with $D_B(g)$ acting on $\mathcal{H}_B$. The set of states $\{|g\rangle_{A'}\}_{g \in G}$ forms an orthonormal basis labeled by $G$, $\langle g|g'\rangle_{A'} = \delta_{g,g'}$. With such a $|\Phi\rangle$, Alice can achieve a value of $\sum_x p_x$ at least equal to that of the original attack, e.g., by first measuring $|g\rangle_{A'}$ in the reveal phase, and then operating on $\mathcal{H}_A$ with $O_{x'}$ for the correspondingly permuted value $x'$ of $x$. Note that in this case $D_B(g)$ merely permutes the values of the $p_x$'s, and the sum of the $p_x$'s remains unchanged.

On the other hand, $|\Phi\rangle$ as seen from Bob, or $\sigma := \mathrm{Tr}_{A'A}|\Phi\rangle\langle\Phi|$, is clearly invariant under $G$, meaning, by Schur's lemma for the irreducible $D$, that it must be proportional to the unit matrix, $\sigma = I_d/d$. Hence Alice's best strategy during the commit phase is to send Bob the maximally entangled state
\[ |\Phi_{\rm ME}\rangle := \frac{1}{\sqrt{d}} \sum_{a=1}^{d} |a\rangle_A \otimes |a\rangle_B. \]
Subsequently, in the reveal phase, Alice's operations can in general be described, as in the original attack, by a set of operators $O_x$ as defined in Eqn. (1), although the actual form of the $O_x$'s achieving the maximum $p_x$ may not be the same as those used in the original attack. Hence, without loss of generality, we may assume $p_x$ takes the form
\[ p_x = \max_{O_x} \sum_{i=1}^{m} \big|\langle\psi_x|E_{xi}|\Phi_{\rm ME}\rangle\big|^2. \]
It is easy to see that, due to the symmetry properties of our protocol, the maxima of the $p_x$'s are all equal for every value of $x$. Thus it remains to maximize $p_x$ for an arbitrarily chosen value of $x$, say $p_0$.
3. Maximizing $p_0$

Recall that $|\Phi_{\rm ME}\rangle$ is invariant under $U_A \otimes U_B$ with $U_A$ an arbitrary unitary transformation and $U_B$ its complex conjugate. Thus, by an appropriate choice of orthonormal bases $\{|\nu_a\rangle\}$ of $\mathcal{H}_A$ and $\{|\mu_a\rangle\}$ of $\mathcal{H}_B$ and using the Schmidt decomposition, we can rewrite $|\Phi_{\rm ME}\rangle$ and $|\psi_0\rangle$ as
\[ |\Phi_{\rm ME}\rangle = \sum_a \frac{1}{\sqrt{d}}\,|\mu_a^*\rangle_A \otimes |\mu_a\rangle_B, \qquad |\psi_0\rangle = \sum_a \lambda_a^{1/2}\,|\nu_a\rangle_A \otimes |\mu_a\rangle_B, \]
where $|\mu_a^*\rangle$ denotes the complex conjugate of $|\mu_a\rangle$ and the $\lambda_a$'s are the eigenvalues of $\rho_0$ and, by symmetry, of all $\rho_x$'s. Then, by decomposing as
\[ E_{0i} = \sum_{a,b} N^i_{ab}\,|\nu_a\rangle\langle\mu_b^*|, \]
$p_0$ can be expressed as
\[ p_0 = \frac{1}{d} \sum_{i=1}^{m} \Big|\sum_a N^i_{aa}\,\lambda_a^{1/2}\Big|^2, \]
with $\sum_i \sum_b |N^i_{ba}|^2 = 1$ for every $a$, by the completeness relation of Eqn. (1).

It is convenient to interpret the diagonal elements of $N^i_{ab}$ as an $m$-dimensional vector $v_a = (N^1_{aa}, \dots, N^m_{aa})$. The lengths of the $v_a$'s are not larger than one, since $|v_a|^2 \le \sum_i \sum_b |N^i_{ba}|^2 = 1$. With this property, $p_0$ can be bounded from above as
\[ p_0 = \frac{1}{d}\Big|\sum_a \lambda_a^{1/2} v_a\Big|^2 \le \frac{1}{d}\Big(\sum_a \lambda_a^{1/2}|v_a|\Big)^2 \le \frac{1}{d}\Big(\sum_a \lambda_a^{1/2}\Big)^2, \]
with the equality holding for $m = 1$ and $N^1_{ab} = \delta_{ab}$. Summarizing the above, we obtain the following theorem.

Theorem 1 (Exact Upper Bound on Binding) For a group covariant QSC protocol, with the $\lambda_a$'s being the eigenvalues of $\rho_x$,
\[ \frac{1}{2^n}\sum_x p_x \le \frac{1}{d}\Big(\sum_a \lambda_a^{1/2}\Big)^2, \tag{4} \]
with the equality holding for Alice's attack using the maximally entangled state.

In terms of the Rényi entropy $S_\alpha$, Eqn. (4) can be rewritten in a form similar to Theorem 2 of Ref. [6]:
\[ \log \sum_x p_x \le n - \big[S_{1/2}(\bar\rho) - S_{1/2}(\rho_x)\big], \tag{5} \]
where $S_{1/2}(\cdot)$ denotes the Rényi entropy for $\alpha = 1/2$, $S_{1/2}(\rho) = 2\log\mathrm{Tr}\,\rho^{1/2}$, so that $S_{1/2}(\rho_x) = 2\log\sum_a\lambda_a^{1/2}$. The mixed state $\bar\rho$ is defined as $\bar\rho := \sum_x p_x \rho_x = I_d/d$, for which $S_{1/2}(\bar\rho) = \log d$.

C. Example: Tetrahedral Encoding

As an application of Theorem 1, we consider $\rho_x$'s covariant under the tetrahedral group. Define qubit states $|\xi; i\rangle$, $i = 1, \dots, 4$, with $\omega = e^{2\pi i/3}$. These four states are covariant under an irreducible representation of the tetrahedral group $T$, which we will denote as $D(g)$ for $g \in T$. Now assume that $n$ is an even number. Also define $|\psi_x\rangle \in \mathcal{H}_B$ as
\[ |\psi_x\rangle := |\xi; x_1 x_2\rangle \otimes \cdots \otimes |\xi; x_{n-1} x_n\rangle, \]
where each pair of bits of $x = x_1 \cdots x_n$ selects one of the four states, and let $\mathcal{H}_A$ be a one-dimensional complex vector space. That is, honest Alice is supposed to send Bob the pure state $|\psi_x\rangle$ in the commit phase.

Such $\rho_x$'s are covariant under $G := T \times \cdots \times T$ with its irreducible representation $D(g_1) \otimes \cdots \otimes D(g_{n/2})$. Thus, applying Theorem 1 with $d = 2^{n/2}$ and a single nonzero eigenvalue $\lambda = 1$, we readily find the exact upper bound on binding: $\sum_x p_x \le 2^{n/2}$. In other words, this protocol is $n/2$-binding.

Secrecy can also be calculated exactly. Alice's commitment is $n/2$ independent draws from the ensemble $\mathcal{E} = \{p_i = \tfrac14, |\xi; i\rangle\}$ with $i = 1, \dots, 4$, and the accessible information for such a case is known to be additive, $I_{\rm acc}(\mathcal{E}^{\otimes n/2}) = \tfrac{n}{2} I_{\rm acc}(\mathcal{E})$. Due to this fact and by using the exact value $I_{\rm acc}(\mathcal{E}) = \log\tfrac{4}{3}$ for the tetrahedral states, we find that this protocol is $\tfrac{n}{2}\log\tfrac{4}{3}$-concealing.

In summary, we have $a = \tfrac{n}{2}$ and $b = \tfrac{n}{2}\log\tfrac{4}{3}$ satisfying $n > a + b$, which is impossible classically.
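The following script is an added example, not code from the paper, that checks the tetrahedral protocol above numerically: it evaluates the right-hand side of Theorem 1 for every commitment state, runs the explicit maximally-entangled attack of Sec. III.B to confirm the bound is attained, and evaluates the covariant accessible-information formula (6) of Sec. IV to recover $I_{\rm acc}(\mathcal{E}) = \log\frac43$, so that $a + b < n$ can be checked for $n = 2$ and $n = 4$. It also goes beyond the pure-state case with a constructed two-qubit commitment state of mixed $\rho_x$. Assumptions not stated on the page: the explicit vectors used for $|\xi; i\rangle$ are one standard choice of tetrahedral states, bit pairs of $x$ index them as $i = 2x_{2k-1} + x_{2k} + 1$, and the optimal $|\varphi\rangle$ in (6) is found by a Bloch-sphere grid search compared against the anti-tetrahedral candidate.

```python
"""Added example (not from the paper): numerical check of the tetrahedral QSC
protocol against Theorem 1 (binding) and formula (6) (secrecy).
Assumed: explicit tetrahedral states, bit-pair indexing, grid search for phi."""
import itertools
import numpy as np

OMEGA = np.exp(2j * np.pi / 3)  # omega = e^{2 pi i / 3}

# Assumed tetrahedral states |xi; i>, i = 1..4, stored as columns (not on the page).
XI = np.column_stack(
    [np.array([1.0, 0.0], dtype=complex)]
    + [np.array([1.0, np.sqrt(2) * OMEGA ** k]) / np.sqrt(3) for k in range(3)]
)


def pairwise_overlaps(states):
    """|<xi_i|xi_j>|^2 for i != j; tetrahedral symmetry means all equal 1/3."""
    gram = states.conj().T @ states
    k = states.shape[1]
    return [abs(gram[i, j]) ** 2 for i in range(k) for j in range(k) if i != j]


def theorem1_bound(psi_x, d_a, d_b):
    """RHS of Theorem 1 for one x: (1/d)(sum_a lambda_a^{1/2})^2.  With
    psi_x = sum_{jk} M_{jk}|j>_A|k>_B the singular values of M are the Schmidt
    coefficients lambda_a^{1/2}, lambda_a the eigenvalues of rho_x = Tr_A|psi_x><psi_x|."""
    m = psi_x.reshape(d_a, d_b)
    return float(np.linalg.svd(m, compute_uv=False).sum() ** 2 / d_b)


def cheat_success(psi_x, d_a, d_b):
    """Attack of Sec. III.B: commit |Phi_ME> on C^d (x) C^d (d = dim H_B), then
    apply the single Kraus operator E = U V^dagger (M = U S V^dagger; a contraction,
    so m = 1 is a valid operation) and send Alice's half.  Bob projects onto
    |psi_x>; returns his acceptance probability |<psi_x|(E (x) I)|Phi_ME>|^2."""
    d = d_b
    u, _, vh = np.linalg.svd(psi_x.reshape(d_a, d_b), full_matrices=False)
    e = u @ vh                                      # maps Alice's C^d to H_A
    phi_me = np.eye(d).reshape(d * d) / np.sqrt(d)  # (1/sqrt d) sum_a |a>|a>
    sent = np.kron(e, np.eye(d)) @ phi_me           # state Bob holds at reveal
    return float(abs(psi_x.conj() @ sent) ** 2)


def tetrahedral_commitment_states(n):
    """|psi_x> = |xi; x1 x2> (x) ... (x) |xi; x_{n-1} x_n>, one qubit per bit pair
    (H_A one-dimensional: d_a = 1, d_b = 2^{n/2}); dict keyed by the bit tuple x."""
    assert n % 2 == 0
    states = {}
    for bits in itertools.product((0, 1), repeat=n):
        vec = np.array([1.0 + 0j])
        for b1, b2 in zip(bits[0::2], bits[1::2]):
            vec = np.kron(vec, XI[:, 2 * b1 + b2])
        states[bits] = vec
    return states


def binding_exponent(n):
    """(a from Theorem 1, log2 of sum_x p_x attained by the explicit attack);
    the protocol is a-binding with sum_x p_x <= 2^a, and the two must agree."""
    d_b = 2 ** (n // 2)
    states = tetrahedral_commitment_states(n).values()
    bound = sum(theorem1_bound(v, 1, d_b) for v in states)
    attained = sum(cheat_success(v, 1, d_b) for v in states)
    return float(np.log2(bound)), float(np.log2(attained))


def covariant_accessible_info(states, phi):
    """Formula (6) for one |phi> (or a batch, last axis = components) on an
    equiprobable orbit of K pure states: each orbit point occurs |G|/K times,
    so (d/|G|) sum over g collapses to (d/K) sum over the distinct states."""
    d, k = states.shape
    q = np.abs(phi.conj() @ states) ** 2            # <phi|rho_x|phi>
    terms = np.where(q > 0, q * np.log2(np.where(q > 0, q, 1.0)), 0.0)
    return np.log2(d) + d * terms.sum(axis=-1) / k


def secrecy_exponent(n, grid=200):
    """(b = (n/2) I_acc(E), value of (6) at the anti-tetrahedral |phi> orthogonal
    to |xi;1>); additivity over the n/2 draws is assumed as on the page."""
    theta = np.linspace(0.0, np.pi, grid)
    ph = np.linspace(0.0, 2 * np.pi, 2 * grid, endpoint=False)
    t, p = np.meshgrid(theta, ph, indexing="ij")
    phis = np.stack([np.cos(t / 2), np.exp(1j * p) * np.sin(t / 2)], axis=-1)
    i_grid = float(covariant_accessible_info(XI, phis.reshape(-1, 2)).max())
    i_anti = float(covariant_accessible_info(XI, np.array([0.0, 1.0])))
    return (n / 2) * max(i_grid, i_anti), i_anti


def tetrahedral_security(n):
    """(a, b, n): a-binding and b-concealing; nontrivial iff a + b < n."""
    a, _ = binding_exponent(n)
    b, _ = secrecy_exponent(n)
    return a, b, n


def mixed_commitment_check(lambdas=(0.9, 0.1)):
    """Theorem 1 beyond the pure case: |psi_x> = sum_a lambda_a^{1/2}|a>_A|a>_B
    (constructed input, d_a = d_b = len(lambdas)).  Returns (bound, attained)."""
    d = len(lambdas)
    psi = sum(np.sqrt(l) * np.kron(np.eye(d)[a], np.eye(d)[a]) for a, l in enumerate(lambdas))
    psi = psi.astype(complex)
    return theorem1_bound(psi, d, d), cheat_success(psi, d, d)


if __name__ == "__main__":
    for n in (2, 4):
        a, b, _ = tetrahedral_security(n)
        print(f"n={n}: a={a:.4f}, b={b:.4f}, a+b={a + b:.4f} < n")
```

For $n = 2$ the script returns $a = 1$ and $b = \log_2\frac43 \approx 0.415$, and for $n = 4$ it returns $a = 2$, matching $a = n/2$; in both cases the attack with $|\Phi_{\rm ME}\rangle$ attains the bound exactly, as Theorem 1 asserts. The mixed-state check with Schmidt eigenvalues $(0.9, 0.1)$ gives $\frac12(\sqrt{0.9}+\sqrt{0.1})^2 = 0.8$ for both the bound and the attack, which is larger than the pure-state value $1/d = 0.5$: the less pure Bob's $\rho_x$, the more room Alice has to cheat.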



IV. SECRECY OF COVARIANT PROTOCOLS

At the end of the previous section, we studied a QSC protocol transforming covariantly under the tetrahedral group, and it turned out to be nontrivial, that is, a classically impossible protocol. As we will show below, this is in fact not a coincidence but rather a consequence of the symmetry properties of our protocols.

In this section, by focusing on the cases where all $\rho_x$'s are pure states, and with the help of the results obtained in the preceding literature on the information-theoretic optimum detection problem with covariant input states, we will show the following theorem.

Theorem 2 For covariant protocols with pure $\rho_x$'s, one of the following two cases holds:

1. The protocol is equivalent to a purely classical protocol, i.e., all transactions occurring between Alice and Bob are done in the computational basis.

2. The protocol is nontrivial, i.e., it satisfies $a + b < n$ with strict inequality.






Proof of Theorem 2. As for secrecy, there are useful formulas giving the classical mutual information $I_{\rm acc}$ in a very simple form. The most relevant among them for our purpose is Lemma 6 of the work on covariant optimum detection cited above, which reads in our notation as follows.

Lemma 1 For a covariant encoding scheme, the maximum value of the accessible information $I_{\rm acc}$ is given by
\[ I_{\rm acc} = \log d + \frac{d}{|G|}\sum_{g \in G} \langle\varphi|\rho_g|\varphi\rangle \log \langle\varphi|\rho_g|\varphi\rangle, \tag{6} \]
where $|\varphi\rangle$ is an appropriately chosen state vector, namely the one maximizing the right-hand side.

The mixed state $\rho_g$ appearing in Eqn. (6) is indexed by a group element $g \in G$ and is defined as $\rho_g := D(g)\rho_0 D^\dagger(g)$, where $\rho_0$ denotes $\rho_x$ with $x = 0$. According to Eqn. (3), every $\rho_g$ equals some $\rho_x$, but the correspondence is not necessarily one-to-one.

Now note that for pure $\rho_x$ the right-hand side of Inequality (5) equals $n - \log d$, since $S_{1/2}(\rho_x) = 0$ and $S_{1/2}(\bar\rho) = \log d$; hence $a \le n - \log d$. On the other hand, the second term on the right-hand side of (6) is clearly no more than zero, so $b \le \log d$, and as long as there is at least one nonzero element in the sum of (6) we have $b < \log d$ strictly, i.e., the protocol is nontrivial. Thus it remains to show that the remaining case, in which that sum vanishes, is always equivalent to a classical protocol.

Clearly, with $\rho_g$ being a pure state, $\langle\varphi|\rho_g|\varphi\rangle$ can be rewritten as $\langle\varphi|\rho_g|\varphi\rangle = |\langle\varphi|D(g)|\psi_0\rangle|^2$ with $\rho_0 = |\psi_0\rangle\langle\psi_0|$. Then, if we suppose that the sum of (6) is strictly zero, $|\langle\varphi|D(g)|\psi_0\rangle|^2 = 0$ or $1$ must hold for all $g \in G$. Since this quantity must be nonzero for at least one group element $g \in G$, without loss of generality we may assume $|\varphi\rangle = |\psi_0\rangle$. Hence we have $|\langle\psi_0|D(g)|\psi_0\rangle|^2 = 0$ or $1$ for all $g \in G$. This means that the $|\psi_x\rangle$ defined by $\rho_x = |\psi_x\rangle\langle\psi_x|$ are all orthogonal to each other, since any $|\psi_x\rangle$ can be written as $D(g)|\psi_0\rangle$ for some $g \in G$ by the transitivity assumed for group covariant protocols. This completes the proof.

By choosing an arbitrary irreducible representation $D$ of a group $G$, and with an arbitrary choice of a pure state vector $|\psi\rangle$, we can always construct a QSC protocol that uses the $D(g)|\psi\rangle$'s as commitment states. Moreover, it is clear that for any choice of $G$ and $D$ there always exists a $|\psi\rangle$ such that the $D(g)|\psi\rangle$'s do not form an orthonormal set, in which case the obtained QSC protocol is nontrivial by this theorem. Thus we also have the following corollary.

Corollary 1 For any irreducible representation $D$ of any finite group $G$, there always exists a nontrivial QSC protocol with $a + b < n$.



V. SUMMARY

In this paper, we introduced a class of QSC protocols and studied their security in terms of the security criteria given by Buhrman et al. [6]. In particular, we considered group covariant protocols and showed how to calculate the exact upper bound on their binding condition. Then, combining this result with the previously known theorems for the quantum optimum detection problem, we proved that for every irreducible representation of a finite group $G$ there always exists a nontrivial QSC protocol. In other words, we demonstrated how to construct infinitely many types of nontrivial QSC protocols with $a + b < n$.

A question that arises naturally is for what types of groups and for which representations we obtain efficient protocols with strong enough security. In particular, in view of cryptographic applications such as zero-knowledge proofs or message authentication, $a/n$ and $b/n$ should be minimized. Although Buhrman et al. have given a protocol that accomplishes arbitrarily small $a/n$ and $b/n$, their protocol is not efficient. In contrast, for group covariant schemes as given here, the obtained protocols are most likely efficient. Hence it is interesting to investigate our result for other explicit examples of finite groups.